[kubernetes] Key Points on Docker Container & Kubernetes

HyunDong Lee · May 3, 2021

Why containers, how the idea starts?

  • VM to container
    Light weight => less main memory => higher throughput
    Why throughput oriented servers needed? Microservice paradigm, clusters of identical service required.
  • Containers share a single OS kernel, but each container needs to keep its own system space, just like processes with their own virtual address space sharing a single physical address space
  • Ideas such as namespaces, cgroups, etc. appeared in the mid to late 2000s in order to provide kernel functionality to containers, i.e. resource management for each individual container => implemented in the form of drivers for namespaces and container networking (such as C++, C++11)

Architecture

Docker engine combines the namespaces, control groups and UnionFS into a wrapper called a container format. The default container format is libcontainer.
Each of containers A and B has its own namespaces. The OS kernel limits the resources (CPU, memory, etc.) available to A and B according to the cgroups on A and B.

VM = virtualization on HW level
Container = virtualization on OS level

Cgroups and namespaces are features implemented to realize the "original container" in the mid 2000s as a Linux project.
Namespaces = a set of names of objects managed by the kernel, such as process IDs, user IDs, file names, names associated with network access, etc.
In a (virtual) host, the OS manages all processes, i.e., a monolithic namespace, because there is only one space of processes and system resources, files, physical memory and so on.
In containers, each set of containers needs to be isolated from the others. Thus there are separate namespaces for each set of containers.
Cgroups are a Linux kernel feature that limits and isolates the resource usage of a collection of processes.
In order to share the OS kernel, all the containers must be built on the 'same' OS kernel, meaning that system calls are consistent. Docker Engine is responsible for administrating different kernel versions to make sure that all the system calls each container invokes are compatible with the OS kernel shared by the containers.

Namespaces

  • Similar concept to address spaces (virtual addresses): a process cannot access the address spaces of others.
  • Namespaces are a fundamental aspect of containers on Linux.
  • Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources.
  • Resources may exist in multiple spaces. Examples of such resources are process IDs, hostnames, user IDs, file names, some names associated with network access, and inter-process communication.

Namespaces & cgroups

Docker makes use of kernel namespaces to provide the isolated workspace called the container.
When you run a container, docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation.
Docker also makes use of kernel control groups for resource allocation and isolation. A cgroup limits an application to a specific set of resources.

Control groups allow Docker Engine to share the available hardware resources among containers and optionally enforce limits and constraints.
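The isolation described above is visible from user space: every process has a `/proc/<pid>/ns/<type>` link whose inode identifies the namespace it lives in, and `/proc/<pid>/cgroup` shows its cgroup membership. The following added example (not code from the original post) compares two PIDs this way; a container process that shares the pid, net, mnt, uts or ipc namespace of a host process is not isolated in the sense the notes describe, which is what a defender checks for when auditing containers started with host namespaces.

```shell
#!/bin/sh
# Added example: compare namespace membership of two PIDs via /proc.
# Assumes a Linux /proc; namespace types follow the kernel's /proc/<pid>/ns/ names.

# Print the namespace identifier (e.g. "pid:[4026531836]") of pid $1 for type $2.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# Print the namespace types that pid $1 and pid $2 have in common.
# Two processes in the same container share all of these; a container process
# and a host process should share at most "user" (and "cgroup" on older setups).
shared_namespaces() {
    for t in pid net mnt uts ipc user cgroup; do
        a=$(ns_id "$1" "$t"); b=$(ns_id "$2" "$t")
        [ -n "$a" ] && [ "$a" = "$b" ] && printf '%s\n' "$t"
    done
}

# Return 0 if pid $1 shares none of the hard-isolation namespaces with pid $2,
# 1 otherwise (the typical sign of a container run with --pid=host, --net=host, etc.).
isolated_from() {
    for t in pid net mnt uts ipc; do
        a=$(ns_id "$1" "$t"); b=$(ns_id "$2" "$t")
        [ -n "$a" ] && [ "$a" = "$b" ] && return 1
    done
    return 0
}

# Print the cgroup membership of pid $1 (the hierarchy the kernel uses to
# enforce the CPU/memory limits mentioned above).
cgroup_of() {
    cat "/proc/$1/cgroup" 2>/dev/null
}

# Usage: compare the current shell with itself (trivially shared) and with pid 1.
if [ "${1:-}" = "demo" ]; then
    echo "shared with self: $(shared_namespaces $$ $$ | tr '\n' ' ')"
    echo "shared with pid 1: $(shared_namespaces $$ 1 | tr '\n' ' ')"
    isolated_from $$ 1 && echo "isolated from pid 1" || echo "NOT isolated from pid 1"
    cgroup_of $$
fi
```

Run it as `sh ns_check.sh demo` inside a container and compare the output with the same command on the host: the shared set should shrink to the user namespace only.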

What about conflict on port number?

  • Containers may need to communicate with other containers on the same host and/or on other hosts
    => Networking facilities between containers are required (e.g. the calico package).
  • Why are multiple identical server apps needed on a host?
    With a single core there is no advantage to using containers.
    With multiple cores, throughput and serviceability improve.
  • Apps (docker containers) on a host cannot use the same port number.
    The host must assign a unique port number to each app.
    In Docker, reverse proxy software is used so that multiple containers can share the same port number on the host.
  • In K8s, the pod is the virtual host, and this part is tricky.
    A pod is a wrapper that provides management and networking facilities for the containers that provide the actual services.
  • Each pod has a unique IP address, DNS for pods, etc.
  • K8s has far higher scalability, so it needs an automated way to manage networking.

Source
Hongik University, Software Engineering by Prof. 김한규